Remove Authority Copying From Reactive

jzheaux · jzheaux · commit 793820acfa48 · 2025-11-03T13:31:30.000-07:00
We will re-address this when adding factors to ReactiveAuthenticationManager implementations. Issue gh-2603
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java b/web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java
@@ -16,10 +16,7 @@
 
 package org.springframework.security.web.server.authentication;
 
-import java.lang.reflect.Method;
-import java.util.Set;
 import java.util.function.Function;
-import java.util.stream.Collectors;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -30,7 +27,6 @@
 import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.web.server.WebFilterExchange;
@@ -126,51 +122,12 @@ private Mono<Void> authenticate(ServerWebExchange exchange, WebFilterChain chain
 			.flatMap((authenticationManager) -> authenticationManager.authenticate(token))
 			.switchIfEmpty(Mono
 				.defer(() -> Mono.error(new IllegalStateException("No provider found for " + token.getClass()))))
-			.flatMap(this::applyCurrentAuthenication)
 			.flatMap(
 					(authentication) -> onAuthenticationSuccess(authentication, new WebFilterExchange(exchange, chain)))
 			.doOnError(AuthenticationException.class,
 					(ex) -> logger.debug(LogMessage.format("Authentication failed: %s", ex.getMessage()), ex));
 	}
 
-	private Mono<Authentication> applyCurrentAuthenication(Authentication result) {
-		return ReactiveSecurityContextHolder.getContext().map((context) -> {
-			Authentication current = context.getAuthentication();
-			if (current == null) {
-				return result;
-			}
-			if (!current.isAuthenticated()) {
-				return result;
-			}
-			if (!declaresToBuilder(result)) {
-				return result;
-			}
-			return result.toBuilder()
-			// @formatter:off
-				.authorities((a) -> {
-					Set<String> newAuthorities = a.stream()
-						.map(GrantedAuthority::getAuthority)
-						.collect(Collectors.toUnmodifiableSet());
-					for (GrantedAuthority currentAuthority : current.getAuthorities()) {
-						if (!newAuthorities.contains(currentAuthority.getAuthority())) {
-							a.add(currentAuthority);
-						}
-					}
-				})
-				.build();
-				// @formatter:on
-		}).switchIfEmpty(Mono.just(result));
-	}
-
-	private static boolean declaresToBuilder(Authentication authentication) {
-		for (Method method : authentication.getClass().getDeclaredMethods()) {
-			if (method.getName().equals("toBuilder") && method.getParameterTypes().length == 0) {
-				return true;
-			}
-		}
-		return false;
-	}
-
 	protected Mono<Void> onAuthenticationSuccess(Authentication authentication, WebFilterExchange webFilterExchange) {
 		ServerWebExchange exchange = webFilterExchange.getExchange();
 		SecurityContextImpl securityContext = new SecurityContextImpl();
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/AuthenticationWebFilterTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/AuthenticationWebFilterTests.java
@@ -25,10 +25,8 @@
 import reactor.core.publisher.Mono;
 
 import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.NonBuildableAuthenticationToken;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
 import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
-import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -178,31 +176,6 @@ public void filterWhenDefaultsAndAuthenticationFailThenUnauthorized() {
 		assertThat(result.getResponseCookies()).isEmpty();
 	}
 
-	@Test
-	public void filterWhenAuthenticatedThenCombinesAuthorities() {
-		String ROLE_EXISTING = "ROLE_EXISTING";
-		TestingAuthenticationToken existingAuthn = new TestingAuthenticationToken("username", "password",
-				ROLE_EXISTING);
-		given(this.authenticationManager.authenticate(any()))
-			.willReturn(Mono.just(new TestingAuthenticationToken("user", "password", "TEST")));
-		given(this.securityContextRepository.save(any(), any())).willReturn(Mono.empty());
-		this.filter = new AuthenticationWebFilter(this.authenticationManager);
-		this.filter.setSecurityContextRepository(this.securityContextRepository);
-		WebTestClient client = WebTestClientBuilder.bindToWebFilters(new RunAsWebFilter(existingAuthn), this.filter)
-			.build();
-		client.get()
-			.uri("/")
-			.headers((headers) -> headers.setBasicAuth("test", "this"))
-			.exchange()
-			.expectStatus()
-			.isOk();
-		ArgumentCaptor<SecurityContext> context = ArgumentCaptor.forClass(SecurityContext.class);
-		verify(this.securityContextRepository).save(any(), context.capture());
-		Authentication authentication = context.getValue().getAuthentication();
-		assertThat(authentication.getAuthorities()).extracting(GrantedAuthority::getAuthority)
-			.containsExactlyInAnyOrder(ROLE_EXISTING, "TEST");
-	}
-
 	/**
 	 * This is critical to avoid adding duplicate GrantedAuthority instances with the
 	 * same' authority when the issuedAt is too old and a new instance is requested.
@@ -232,31 +205,6 @@ public void filterWhenDefaultEqualsAuthorityThenNoDuplicates() {
 			.containsExactly(DefaultEqualsGrantedAuthority.AUTHORITY);
 	}
 
-	@Test
-	void doFilterWhenNotOverridingToBuilderThenDoesNotMergeAuthorities() throws Exception {
-		TestingAuthenticationToken existingAuthn = new TestingAuthenticationToken("username", "password", "FACTORONE");
-		given(this.authenticationManager.authenticate(any()))
-			.willReturn(Mono.just(new NonBuildableAuthenticationToken("user", "password", "FACTORTWO")));
-		given(this.securityContextRepository.save(any(), any())).willReturn(Mono.empty());
-		this.filter = new AuthenticationWebFilter(this.authenticationManager);
-		this.filter.setSecurityContextRepository(this.securityContextRepository);
-		WebTestClient client = WebTestClientBuilder.bindToWebFilters(new RunAsWebFilter(existingAuthn), this.filter)
-			.build();
-		client.get()
-			.uri("/")
-			.headers((headers) -> headers.setBasicAuth("test", "this"))
-			.exchange()
-			.expectStatus()
-			.isOk();
-		ArgumentCaptor<SecurityContext> context = ArgumentCaptor.forClass(SecurityContext.class);
-		verify(this.securityContextRepository).save(any(), context.capture());
-		Authentication authentication = context.getValue().getAuthentication();
-		SecurityAssertions.assertThat(authentication)
-			.authorities()
-			.extracting(GrantedAuthority::getAuthority)
-			.containsExactly("FACTORTWO");
-	}
-
 	@Test
 	public void filterWhenAuthenticationManagerResolverDefaultsAndAuthenticationFailThenUnauthorized() {
 		given(this.authenticationManager.authenticate(any()))
